15941200 curl "gmake test" failures s11-update
authorRich Burridge <rich.burridge@oracle.com>
Tue, 19 Nov 2013 07:55:28 -0800
branchs11-update
changeset 2824 ed80ca124641
parent 2823 4650282513ce
child 2825 cb999e84659c
15941200 curl "gmake test" failures 16658714 problem in LIBRARY/CURL 17799440 problem in LIBRARY/CURL
components/curl/patches/010-CVE-2013-4545.patch
components/curl/patches/011-runtests.pl.patch
components/curl/patches/012-CVE-2013-1944.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/010-CVE-2013-4545.patch	Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,21 @@
+CVE-2013-4545: Setting only CURLOPT_SSL_VERIFYHOST without 
+CURLOPT_SSL_VERIFYPEER set should still verify that the host 
+name fields in the server certificate is fine or return failure.
+
+Bug: http://curl.haxx.se/mail/lib-2013-10/0002.html
+Reported-by: Ishan SinghLevett
+
+Relevant upstream patch at:
+https://github.com/bagder/curl/commit/3c3622b6
+
+--- lib/ssluse.c.orig	2013-11-18 06:59:53.408117483 -0800
++++ lib/ssluse.c	2013-11-18 07:00:26.212993187 -0800
[email protected]@ -2357,7 +2357,7 @@
+    * operations.
+    */
+ 
+-  if(!data->set.ssl.verifypeer)
++  if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
+     (void)servercert(conn, connssl, FALSE);
+   else
+     retcode = servercert(conn, connssl, TRUE);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/011-runtests.pl.patch	Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,37 @@
+The various curl NTLM tests try to LD_PRELOAD a test library
+called .../tests/libtest/.libs/libhostname.so that's been
+created as a pre-requisite to running the numerous Perl tests.
+
+This patch adjusts LD_PRELOAD to be LD_PRELOAD_32 or LD_PRELOAD_64
+depending upon whether we are running the 32 or 64 bit tests.
+
+As this is Solaris specific, this patch will not be pushed upstream.
+
+--- tests/runtests.pl.orig	2013-11-18 07:12:48.748872794 -0800
++++ tests/runtests.pl	2013-11-18 07:15:32.604982653 -0800
[email protected]@ -2405,10 +2405,21 @@
+                     delete $ENV{$var} if($ENV{$var});
+                 }
+                 else {
+-                    if(($var =~ /^LD_PRELOAD/) &&
+-                       ($debug_build || ($has_shared ne "yes"))) {
+-                        # print "Skipping LD_PRELOAD due to no release shared build\n";
+-                        next;
++                    if($var =~ /^LD_PRELOAD/) {
++                        if(exe_ext() && (exe_ext() eq '.exe')) {
++                            # print "Skipping LD_PRELOAD due to lack of OS support\n";
++                            next;
++                        }
++                        if($debug_build || ($has_shared ne "yes")) {
++                            # print "Skipping LD_PRELOAD due to no release shared build\n";
++                            next;
++                        }
++                        # make this LD_PRELOAD_{bits}
++                        open(FP, "/bin/file $content |");
++                        my $bits = <FP>;
++                        if ($bits =~ /^.+ELF\s(\d\d)-bit.+$/) {
++                            $var .= '_'.$1;
++                        }
+                     }
+                     $ENV{$var} = "$content";
+                 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/curl/patches/012-CVE-2013-1944.patch	Tue Nov 19 07:55:28 2013 -0800
@@ -0,0 +1,49 @@
+From 3604fde3d3c9b0d0e389e079aecf470d123ba180 Mon Sep 17 00:00:00 2001
+From: YAMADA Yasuharu <[email protected]>
+Date: Thu, 11 Apr 2013 00:17:15 +0200
+Subject: [PATCH] cookie: fix tailmatching to prevent cross-domain leakage
+
+Cookies set for 'example.com' could accidentaly also be sent by libcurl
+to the 'bexample.com' (ie with a prefix to the first domain name).
+
+This is a security vulnerabilty, CVE-2013-1944.
+
+Bug: http://curl.haxx.se/docs/adv_20130412.html
+
+--- lib/cookie.c.orig	2013-11-18 14:05:59.517749330 -0800
++++ lib/cookie.c	2013-11-18 14:08:09.852442022 -0800
[email protected]@ -122,15 +122,29 @@
+   free(co);
+ }
+ 
+-static bool tailmatch(const char *little, const char *bigone)
++static bool tailmatch(const char *cooke_domain, const char *hostname)
+ {
+-  size_t littlelen = strlen(little);
+-  size_t biglen = strlen(bigone);
++  size_t cookie_domain_len = strlen(cooke_domain);
++  size_t hostname_len = strlen(hostname);
+ 
+-  if(littlelen > biglen)
++  if(hostname_len < cookie_domain_len)
+     return FALSE;
+ 
+-  return (bool)Curl_raw_equal(little, bigone+biglen-littlelen);
++  if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
++    return FALSE;
++
++  /* A lead char of cookie_domain is not '.'.
++     RFC6265 4.1.2.3. The Domain Attribute says:
++       For example, if the value of the Domain attribute is
++       "example.com", the user agent will include the cookie in the Cookie
++       header when making HTTP requests to example.com, www.example.com, and
++       www.corp.example.com.
++   */
++  if(hostname_len == cookie_domain_len)
++    return TRUE;
++  if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
++    return TRUE;
++  return FALSE;
+ }
+ 
+ /*